DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Ability to have portfolio access control applied to specific teams only #1201

Open navulirs opened 3 years ago

navulirs commented 3 years ago


We want to use one Team API key for automated SBOM upload into Dependency-Track through an API call, and another Team API key to access project components for a limited set of projects.

Current Behavior:

When "Portfolio Access Control" is enabled, we couldn't use the API with an API key for SBOM upload with the create-project option. The API returns access denied because the Team doesn't have permission for the project.

Proposed Behavior:

Portfolio Access Control should be enabled for select Teams. There can be Teams with no portfolio access control.

stevespringett commented 3 years ago

Introducing the ability to configure a team to bypass access control checks will have an impact for every user that is a member of that team. They too will have unrestricted access.

Some thought will have to be given to the proper design of this.

navulirs commented 3 years ago

Thanks for the response. It appears to interfere with the BOM upload API with autoCreate=true. We create the projects using a Team API key. However, we would want to restrict users through the UI to a limited set of projects based on areas of responsibility.
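A CI-side upload client for the flow navulirs describes, added here as an example (not code from Dependency-Track or the issue authors): it sends the BOM with autoCreate=true via PUT /api/v1/bom and the X-Api-Key header, and names the Portfolio Access Control denial explicitly so a pipeline fails with a clear reason instead of a bare HTTP error. The base URL, API key and sample BOM are constructed placeholders.

```python
"""Upload a CycloneDX SBOM to Dependency-Track with autoCreate=true. Added example:
uses PUT /api/v1/bom with X-Api-Key; the URL, key and BOM are constructed placeholders."""
import base64
import json
import urllib.error
import urllib.request

# Constructed minimal CycloneDX BOM used as sample input.
SAMPLE_BOM = {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
              "components": [{"type": "library", "name": "example-lib", "version": "1.0.0"}]}


def build_upload_request(base_url, api_key, project_name, project_version, bom):
    """Build the PUT /api/v1/bom request; the BOM travels base64-encoded in JSON."""
    body = {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": True,  # create the project if it does not exist yet
        "bom": base64.b64encode(json.dumps(bom).encode()).decode(),
    }
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/bom",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"Content-Type": "application/json", "X-Api-Key": api_key},
    )


def decode_request_bom(request):
    """Recover the BOM dict from a built request (useful to verify what is sent)."""
    return json.loads(base64.b64decode(json.loads(request.data)["bom"]))


def explain_failure(status):
    """Turn the HTTP statuses a pipeline typically sees into an actionable message."""
    if status == 401:
        return "unauthenticated: the API key is missing, invalid or revoked"
    if status == 403:
        # The case from this issue: Portfolio Access Control is on and the
        # uploading team is not on the project's ACL; autoCreate does not help.
        return "access denied: team lacks access to the project under Portfolio Access Control"
    return f"upload failed with HTTP {status}"


def upload_bom(base_url, api_key, project_name, project_version, bom=SAMPLE_BOM):
    req = build_upload_request(base_url, api_key, project_name, project_version, bom)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read())  # contains the processing token
    except urllib.error.HTTPError as err:
        raise SystemExit(explain_failure(err.code)) from err
```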

valentijnscholten commented 2 years ago

A solution I was thinking of is to allow an optional Team name (or list of Team names) in the BOM upload request. This could be used for autocreation to assign the desired Team(s) to the Project ACL. This clutters the BOM upload request even more. But there is not really an alternative for users without ACCESS_MANAGEMENT permission. An alternative could be some kind of permission that would allow users to modify the ACL of only the Projects that they have access to. That could work in combination with https://github.com/DependencyTrack/dependency-track/pull/1529 maybe.